IN THE CLAIMS: 

Please amend the claims as follows: 

1. (Currently Amended) A computer-implemented method for protecting computer code
from malicious retrievers, the method comprising the steps of: 
observing a plurality of retrieval commands that access the computer code; 
observing responses to the plurality of retrieval commands generated by the computer 
code; 

deriving from the plurality of retrieval commands and the responses a set of retrieval 
information, the set of retrieval information comprising input vectors 
characterizing the plurality of retrieval commands; 

converting the set of retrieval information into at least one rule for determining 
whether retrieval commands are acceptable; 

generating retrieval information characteristic of data sent to a retriever by the
computer code in response to a retrieval command issued by the retriever, the
retrieval information comprising an input vector characterizing the retrieval
command;

determining whether the retrieval command is acceptable using at least some of the 
retrieval information as an input to the at least one rule; and 

responsive to the retrieval command being not acceptable, performing at least one of 
the following: 

sending a message to a user or a computer, 
updating a log, 
restricting the retrieval command from accessing the computer code,
allowing the retrieval command limited access to the computer code, 
augmenting the command, and 
investigating a sender of the command. 

2. (Original) The method of claim 1 wherein the retrieval information comprises a 
retrieval vector. 

3. (Original) The method of claim 2 wherein the retrieval vector comprises at least one 
of the following: 

number of rows in the retrieval; 
number of columns in the retrieval; 
number of tables in the retrieval; 
identification of columns in the retrieval; 
identification of tables in the retrieval. 

4. (Original) The method of claim 1 wherein the retrieval information comprises 
statistical information. 

5. (Original) The method of claim 4 wherein at least some of the statistical information 
is contained in a state table. 

6. (Original) The method of claim 4 wherein a plurality of retrieval commands are 
issued, and the statistical information comprises at least one of the following: 
rate of retrieving rows from the computer code; 

rate of retrieving columns from the computer code; 
rate of retrieving tables from the computer code; 
average number of rows retrieved per retrieval command for a given input vector,
where an input vector contains parameterized information characteristic of the
retrieval command;

average number of columns retrieved per retrieval command for a given input vector; 
average number of tables retrieved per retrieval command for a given input vector; 
percentage of retrieval commands for which a given column is accessed; 
percentage of retrieval commands for which a given table is accessed; 
percentage of retrieval commands for which a given combination of columns is 
accessed; 

percentage of retrieval commands for which a given combination of tables is 
accessed. 

7. (Previously Presented) The method of claim 1 wherein the at least one rule is also 
accessed by an input vector containing parameterized information characteristic of the 
retrieval command. 

8. (Original) The method of claim 7 wherein the input vector is extracted from a 
retrieval command by at least one technique from the group of techniques comprising 
real-time auditing and in-line interception. 

9. (Previously Presented) The method of claim 7 wherein the at least one rule is 
accessed by at least two input vectors, each input vector being associated with the 
same retrieval command. 

10. (Original) The method of claim 7 wherein the input vector comprises at least one 
parameter from the group of parameters comprising: 

canonicalized commands; 
dates and times at which commands access the computer code;

logins of users that issue commands; 

identities of users that issue commands; 

departments of users that issue commands; 

applications that issue commands; 

IP addresses of issuing users; 

identities of users accessing a given field within the computer code; 

times of day that a given user accesses a given field within the computer code; 

fields accessed by commands; 

combinations of fields accessed by commands; 

tables within the computer code accessed by commands; 

combinations of tables within the computer code accessed by commands. 

11. (Original) The method of claim 10 wherein a canonicalized command is a retrieval
command stripped of literal field data. 

12. (Currently Amended) The method of claim 1, further comprising wherein sending a
message to a user or a computer, and further comprises sending an alert to a system
administrator, and wherein updating a log further comprises updating an audit log.

13. (Original) The method of claim 1 wherein the computer code is a database. 

14. (Original) The method of claim 13 wherein the retrieval command is a SQL 
command. 

15. (Previously Presented) The method of claim 1 wherein deriving from the plurality of 
retrieval commands and the responses a set of retrieval information further comprises 
deriving from the plurality of retrieval commands and the responses a set of retrieval
information based on a set of preselected set of parameters. 

16. (Previously Presented) The method of claim 15 wherein the at least one rule 
comprises at least one rule derived from statistical information of the set of retrieval 
information. 

17. (Previously Presented) The method of claim 15 wherein deriving from the plurality of 
retrieval commands and the responses the set of retrieval information and converting 
the set of retrieval information into the at least one rule for determining whether the 
retrieval commands are acceptable are performed in real time. 

18. (Previously Presented) The method of claim 1 wherein the input vectors are extracted 
from the plurality of retrieval commands by at least one technique from the group of 
techniques comprising real-time auditing and in-line interception. 

19. (Previously Presented) The method of claim 1 wherein observing the plurality of 
retrieval commands comprises at least one of: 

real-time auditing; and 
in-line interception. 

20. (Previously Presented) The method of claim 1 wherein the step of observing the 
plurality of retrieval commands comprises real-time auditing; and at least one of the 
following is used to extract the plurality of retrieval commands for observation: 

an API that accesses the computer code; 

code injection; 

patching; 

direct database integration; 
log file examination.

21. (Previously Presented) The method of claim 1 wherein the step of observing the
plurality of retrieval commands comprises in-line interception; and at least one of the 
following is interposed between senders of the plurality of retrieval commands and 
the computer code: 

a proxy; 
a firewall; 
a sniffer. 

22. (Previously Presented) The method of claim 1 wherein the step of observing 
responses to the plurality of retrieval commands comprises at least one of: 
real-time auditing; and 

in-line interception. 

23. (Previously Presented) The method of claim 1 wherein the step of observing 
responses to the plurality of retrieval commands comprises real-time auditing; and at 
least one of the following is used to extract the plurality of retrieval commands for 
observation: 

an API that accesses the computer code; 

code injection; 

patching; 

direct database integration; 
log file examination. 

24. (Previously Presented) The method of claim 1 wherein the step of observing 
responses to the plurality of retrieval commands comprises in-line interception; and at 
least one of the following is interposed between senders of the plurality of retrieval
commands and the computer code: 
a proxy; 
a firewall; 
a sniffer. 

25. (Previously Presented) The method of claim 1 wherein a duration of performing 
deriving from the plurality of retrieval commands and the responses the set of 
retrieval information and converting the set of retrieval information into the at least 
one rule for determining whether the retrieval commands are acceptable is determined 
by statistical means. 

26. (Previously Presented) The method of claim 25 wherein: 
during the duration, suspicious activity is tracked; and 

the suspicious activity is subsequently reported to a system administrator. 

27. (Original) The method of claim 1 wherein the generating step comprises at least one 
of: 

real-time auditing; and 
in-line interception. 

28. (Previously Presented) The method of claim 1 wherein the at least one rule comprises 
at least one rule provided by a system administrator. 

29. (Previously Presented) The method of claim 1 wherein the at least one rule comprises 
at least one rule provided by a vendor. 

30. (Previously Presented) The method of claim 1 wherein the at least one rule comprises 
a pre-established rule table pertaining to retrievals. 

31. (Currently Amended) A computer-readable medium containing computer program
instructions for protecting computer code from malicious retrievers, the computer 
program instructions performing the steps of: 

observing a plurality of retrieval commands that access the computer code; 
observing responses to the plurality of retrieval commands generated by the computer 
code; 

deriving from the plurality of retrieval commands and the responses a set of retrieval 
information, the set of retrieval information comprising input vectors 
characterizing the plurality of retrieval commands; 

converting the set of retrieval information into at least one rule for determining 
whether retrieval commands are acceptable; 

generating retrieval information characteristic of data sent to a retriever by the
computer code in response to a retrieval command issued by the retriever, the
retrieval information comprising an input vector characterizing the retrieval
command;

determining whether the retrieval command is acceptable using at least some of the 
retrieval information as an input to the at least one rule; and 

responsive to the retrieval command being not acceptable, performing at least one of 
the following: 

sending a message to a user or a computer, 
updating a log, 

restricting the retrieval command from accessing the computer code, 
allowing the retrieval command limited access to the computer code, 
augmenting the command, and
investigating a sender of the command.

32. (Currently Amended) Apparatus for protecting computer code from malicious
retrievers, the apparatus comprising: 
a computer processor; 

a training module configured to be executed by the computer processor for observing 
a plurality of retrieval commands that access the computer code, observing 
responses to the plurality of retrieval commands generated by the computer 
code, and deriving from the plurality of retrieval commands and the responses 
a set of retrieval information, the set of retrieval information comprising input 
vectors characterizing the plurality of retrieval commands; 

a computation module configured for converting the set of retrieval information into 
at least one rule for determining whether retrieval commands are acceptable, 
the at least one rule associated with an input vector, generating retrieval
information characteristic of data sent to a retriever by the computer code in 
response to a retrieval command issued by the retriever, the retrieval 
information comprising an input vector characterizing the retrieval command, 
and responsive to the input vector of the retrieval information matching the 
input vector associated with the at least one rule, determining whether the 
retrieval command is acceptable using at least some of the retrieval 
information as an input to the at least one rule; and 

a post flagging module communicatively connected with the training module and the 
computation module, the post flagging module configured for responsive to 
the retrieval command being not acceptable by performing at least one of the
following: 

sending a message to a user or a computer, 
updating a log, 

restricting the retrieval command from accessing the computer code, 
allowing the retrieval command limited access to the computer code, 
augmenting the command, and 
investigating a sender of the command. 
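
An added illustration, not part of the filing, of the flow recited in claims 1, 6, 10 and 11: SQL commands are canonicalized by stripping literal field data, paired with the issuing login to form an input vector, and the rows returned per vector during training become a rule that later retrievals are checked against. The function names, the mean-plus-three-standard-deviations limit, and the sample queries are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

def canonicalize(sql):
    """Claim 11: a retrieval command stripped of literal field data."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)        # quoted string literals
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)     # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

def input_vector(sql, login):
    """Claim 10 parameters used here: canonicalized command and login."""
    return (canonicalize(sql), login)

def train(observations, k=3.0, slack=1.0):
    """observations: (sql, login, rows_returned) seen during training.
    Returns one rule per input vector: the maximum acceptable row count,
    derived from the average rows per command for that vector (claim 6).
    The k-sigma-plus-slack limit is an assumption of this example."""
    rows = defaultdict(list)
    for sql, login, n in observations:
        rows[input_vector(sql, login)].append(n)
    return {v: mean(ns) + k * pstdev(ns) + slack for v, ns in rows.items()}

def check(rules, sql, login, rows_returned, audit_log):
    """Apply the rule for this command's input vector to its response.
    Unacceptable retrievals are appended to audit_log (one claimed action)."""
    vector = input_vector(sql, login)
    limit = rules.get(vector)
    if limit is None:
        verdict = "unseen_vector"
    elif rows_returned > limit:
        verdict = "row_count_exceeded"
    else:
        return True, "ok"
    audit_log.append((verdict, vector, rows_returned))
    return False, verdict

# Constructed training traffic: (command, login, rows in the response).
TRAINING = [
    ("SELECT name, email FROM customers WHERE id = 17", "app_web", 1),
    ("SELECT name, email FROM customers WHERE id = 42", "app_web", 1),
    ("SELECT name, email FROM customers WHERE id = 903", "app_web", 0),
    ("SELECT name FROM customers WHERE city = 'Oslo'", "report", 120),
    ("SELECT name FROM customers WHERE city = 'Lima'", "report", 95),
]
RULES = train(TRAINING)
```

A command whose canonical form was never observed, such as one with an added `OR 1=1` predicate, maps to a different input vector and is reported as `unseen_vector` rather than being compared against another vector's limit.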